Bekker's Blog

With Azure Sphere, Microsoft Makes a Play for the Center of IoT Security

Microsoft outlined a major new security vision this week called Azure Sphere that aims to secure the billions of devices on the Internet of Things (IoT) from device hardware to software to cloud, and gives Microsoft a central role.

Brad Smith, Microsoft president and chief legal officer, announced the initiative on Monday during a security news briefing in San Francisco timed to coincide with the start of the 2018 RSA Conference.

"What we're announcing today is Azure Sphere. It is an end-to-end IoT solution. It goes where...no company has gone before," Smith said.

The Azure Sphere solution has three parts: Azure Sphere MCUs, the Azure Sphere OS and the Azure Sphere Security Service.

Azure Sphere MCUs: The first part is a microcontroller unit (MCU), the class of chip that powers IoT devices. Microsoft has developed a new class of MCUs, which it also calls the Azure Sphere MCU or Azure Sphere chip. Microsoft plans to license the intellectual property of the new MCUs royalty-free to silicon partners interested in developing and manufacturing Azure Sphere chips. A major element of the chips is the Microsoft Pluton Security Subsystem, which creates a hardware root of trust, stores private keys and executes cryptographic operations. Other elements of the chips include network connectivity, Microsoft I/O firewalls, an application processor, a real-time processor, flash memory, SRAM and multiplexed I/O, according to a diagram.

Brad Smith, Microsoft president and chief legal officer, holds up a microcontroller unit during a security news briefing in San Francisco. (Image source: Microsoft)

Azure Sphere OS: The second part is an operating system for IoT devices built on a Linux kernel, the first time Microsoft has released an OS built on Linux. According to Microsoft, the Azure Sphere OS will offer a trustworthy, defense-in-depth platform via secured application containers and a security monitor.

Azure Sphere Security Service: The cloud component is the Azure Sphere Security Service, which Microsoft describes as a turnkey cloud security service. Elements include certificate-based authentication for all communication, device authenticity checks, device status and health monitoring, automated updates of the Azure Sphere OS, and device software deployment services. The security protections through the service are designed to last for a 10-year device lifetime.

Currently, Azure Sphere is in a private preview, and Microsoft is working with select hardware providers. The first Azure Sphere chip is being developed by MediaTek Inc., which built the MT3620 as a reference architecture for Azure Sphere with Microsoft and is now sampling the chip with some customers. The company expects broad public availability for the MT3620 in the third quarter of this year.

"MediaTek has a long history of working with Microsoft on specific SoC [system on a chip] designs that meet demanding connectivity needs," said Jerry Yu, MediaTek corporate vice president and general manager of the Intelligent Devices Business Group, in a statement Tuesday. "On top of our close ties with Microsoft and design expertise, Microsoft had a vision we also believed in."

According to a blog by Galen Hunt, partner managing director at Microsoft for Azure Sphere, a first wave of Azure Sphere devices will be "on shelves" by the end of 2018. He also promised universally available dev kits by mid-2018.

Arm Ltd. was another early partner, working closely with Microsoft to incorporate its Cortex-A application processors into Azure Sphere MCUs, according to a Microsoft page detailing the Azure Sphere silicon ecosystem. Other partners represented on that page include Hilscher, LitePoint, LongSys, Nordic, Nuvoton, NXP, Qualcomm, Seeed Studio, Silicon Labs, ST Micro, Toshiba and VeriSilicon.

During the briefing, Smith suggested why Microsoft thinks the time is right to roll out a significant IoT security initiative.

"There are going to be 9 billion of these MCU-based devices shipped this year. Think about that. For every person on the planet, there will be more than one of these MCU devices shipped. They literally will be in the toys of our children, they literally will be in our kitchens and our refrigerators, they will be in every room in our house," Smith said. "Today, fewer than 1 percent of those MCUs are connected to a network or the Internet. But that is changing, and it's going to continue to change. And what it fundamentally means is that our homes and our offices and the infrastructure of the future will literally be only as secure as the weakest link."

Smith also cited the Mirai botnet as a harbinger of the types of security threats that will become more common as IoT expands, and as a reason that a holistic security approach is needed.

"It was in 2016 that the Mirai attack basically enabled hackers to take control of 100,000 devices and use it to launch a DDoS attack by turning those devices into part of a botnet. It was an attack that, on a single day, basically took the East Coast of the United States off of the Internet," he said, reinforcing an idea that he discussed earlier in his talk and in a related blog post. The idea is that Microsoft and others in the tech sector have the first responsibility to address security issues.

"We operate the platform. We unfortunately are the battlefield in many ways," he said.
